Tumbleweed Communications, which develops anti-spam and anti-virus software, is putting up a new line of defense to help corporations combat malicious traffic targeted at their e-mail servers.
The company last week introduced an appliance called MailGate Edge, a relay server that sits at the edge of a corporate network and deflects malicious e-mail-based traffic before it reaches internal systems.
Tumbleweed refers to these malicious transmissions as "dark traffic." The company says dark traffic includes not only spam but also denial-of-service and directory-harvest attacks, malformed SMTP packets, and other requests and communications that are not legitimate mail.
MailGate Edge is designed to recognize these threats and prevent them from reaching a targeted mail server. The benefits for corporate users are fewer messages to process in their anti-spam and anti-virus software, and less load on e-mail servers.
"This notion of a two-tier approach to spam blocking is the wave of the future," says Matt Cain, an analyst with Meta Group. "You will have the equivalent of a front-end processor that will work at the SMTP and the IP level in the case of spam. Using a variety of protocol-level techniques, you will be able to filter out 50% of spam. The spam that does get through will be interrogated further by a spam engine."
Cain says the result will be a steep reduction in the amount of junk corporate mail systems must process.
Tumbleweed is not the only vendor pushing this two-tier approach. A few weeks ago, Symantec introduced its Mail Security 8100 appliance, which is designed as an edge server to block spam. The appliance is expected to ship next month.
MailGate Edge looks at packet and application layers, including sender IP addresses, message volume, recipients and other characteristics of SMTP connections to determine behavior patterns that reveal malicious activity.
The Linux-based appliance has an administrative console for setup and a reporting engine that can perform threat analysis on selected traffic. It also has traffic-shaping and IP-throttling capabilities so traffic can be slowed and examined before cutting off access. The relay server also can hide internal IP addresses from the outside world.
Because MailGate Edge drops packets it determines are up to no good, there is no quarantine and no storage of messages.
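The envelope-level approach described above (sender IP, recipients, volume, throttling before cutoff) can be sketched as follows. This is an added illustration, not Tumbleweed's implementation: the event format, the thresholds, the sticky drop and the names `EdgeFilter` and `run` are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

# Constructed envelope events: (seconds, client_ip, rcpt_to, smtp_reply_code).
# 550 = recipient unknown; IPs are documentation ranges, not real hosts.
EVENTS = [
    (0, "192.0.2.10", "alice@example.com", 250),
    (1, "203.0.113.7", "aaron@example.com", 550),
    (2, "203.0.113.7", "abby@example.com", 550),
    (3, "203.0.113.7", "adam@example.com", 550),
    (5, "192.0.2.10", "bob@example.com", 250),
    (6, "203.0.113.7", "alan@example.com", 550),
    (7, "203.0.113.7", "alex@example.com", 550),
    (8, "203.0.113.7", "alice@example.com", 250),
    (9, "203.0.113.7", "amy@example.com", 550),
    (10, "203.0.113.7", "ann@example.com", 550),
    (90, "192.0.2.10", "bobb@example.com", 550),  # a single typo, not a harvest
]

class EdgeFilter:
    """Per-IP sliding-window count of unknown-recipient rejections."""

    def __init__(self, window=60, throttle_at=3, drop_at=6):  # assumed thresholds
        self.window, self.throttle_at, self.drop_at = window, throttle_at, drop_at
        self.rejects = defaultdict(deque)  # ip -> timestamps of 550 replies
        self.blocked = set()               # assumption: a drop decision is sticky

    def observe(self, ts, ip, code):
        if ip in self.blocked:
            return "drop"
        q = self.rejects[ip]
        if code == 550:
            q.append(ts)
        while q and q[0] <= ts - self.window:  # expire rejections outside the window
            q.popleft()
        if len(q) >= self.drop_at:
            self.blocked.add(ip)
            return "drop"
        return "throttle" if len(q) >= self.throttle_at else "accept"

def run(events, **kw):
    """Replay events in time order; return {ip: [action per RCPT attempt]}."""
    f, out = EdgeFilter(**kw), defaultdict(list)
    for ts, ip, _rcpt, code in sorted(events):
        out[ip].append(f.observe(ts, ip, code))
    return dict(out)

if __name__ == "__main__":
    for ip, actions in run(EVENTS).items():
        print(ip, actions)
```

No message body is read at any point: the decision uses only the connecting IP, the reply code for each recipient and timing, which is why nothing needs to be quarantined or stored.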
MailGate Edge can process 150,000 messages per hour, per appliance, and works with all major e-mail servers, including Microsoft Exchange, IBM/Lotus Notes/Domino and Novell's GroupWise.
"We look at Layers 3 through 7 on the network stack," says Jeff Smith, CEO of Tumbleweed. "We don't do content inspection. We look at the [message] envelope, the IP address, the traffic patterns."
MailGate Edge is priced starting at $5,000 per appliance.